Update your Vanilla Forums

Howdy,
We've just released 2.1.13, which addresses multiple security issues found during a self-initiated audit. The update should be applied immediately to all forums running the 2.1 release branch (or earlier). You can find full details on what changes were made and how to upgrade here.

Two weeks ago, they released another security update. They needed to release FOUR different revisions until all the regressions introduced in the security update were fixed. This did take them several days.

A new update was released some days ago and today another revision was submitted to fix one more regression. So a total of four revisions were needed in two weeks just to fix fucking security updates.

I didn't get a notification about this new security update because they didn't care to tag the release in GitHub. There isn't any reliable way to get security notifications from them.

Guys: don't use Vanilla Forums for any project you are planning to start, really. The codebase is crap, the security side is crap too and the developers aren't qualified to ship a production ready product.

Discourse has a lot of the right ideas, but unfortunately 1) it's written in Ruby (which means it is a nightmare to deploy), and 2) it requires Javascript to be enabled to use it (even just to read), which is unacceptable for a forum.

Flarum is cool, but I'm waiting until it's a bit more feature-complete before deploying it. Discourse is a resource hog (and then some!), but it's pretty stable and flexible once you get it up and running.

Nyr said: Guys: don't use Vanilla Forums for any project you are planning to start, really. The codebase is crap, the security side is crap too and the developers aren't qualified to ship a production ready product.

And yet, despite many, many attempts I don't seem to be able to convince some people that we should switch from Vanilla to a more mature, secure, and stable product.

This product is going to bite us in the ass again sooner or later and all I can do at that point is say "I told you so" and try to iron things out for the people that wouldn't listen to me.

@Mun said:
mpkossen, as of now there is no good way to migrate to another forum. So start from scratch as well.

Writing a migration script should be worth the effort IMHO. What's worse: having to spend 16-32 hours on writing a migration script or having your forum owned again and your reputation blown to pieces?

I believe there is at least one solution with an importer that can then export to other solutions. Migrations aren't easy, they never are. But at some point it is worth the effort.

@mpkossen I'm not saying it isn't worth it. I'm saying that after I looked for a proper migration solution that I couldn't find any. Something to consider as part of the move (that will happen eventually).

@Mun said:
mpkossen I'm not saying it isn't worth it. I'm saying that after I looked for a proper migration solution that I couldn't find any. Something to consider as part of the move (that will happen eventually).

It's simply not the "LET" feeling when we'd switch to vMyPHPBoardBB or whatever. Correct, there are themes and CC or mpkossen could work for hours to get the shit done, but wouldn't you miss Vanilla's crappy codebase, security and developers, who are not qualified to ship a production ready product?

mpkossen said: The UX could work on any system. It shouldn't be confused with Vanilla.

Yes, it's possible - it's just very hard on many platforms. Most forum software doesn't support Markdown for example, and subtle things like jumping to the last unread post when clicking a thread can be very hard to implement; especially when the vendor has a habit of making unannounced breaking changes (looking at you, IPB).

Making such a theme for any other forum system isn't as large an undertaking as rewriting the forums is.

Not necessarily. A forum isn't exactly a complex thing to write, especially with the (lack of) features of Vanilla. Sometimes, modifying existing things really does take more time than starting anew.

@joepie91 said:
Not necessarily. A forum isn't exactly a complex thing to write, especially with the (lack of) features of Vanilla. Sometimes, modifying existing things really does take more time than starting anew.

I must say that markdown has me puzzled. For the same functions, it's a lot harder than html because there are so many versions and you never know what to expect. It is in fact a specialist language. With html any fool can just google and find the answer in two seconds. Consider also that this is a tech forum - or isn't it? There's nothing wrong with expecting users to use basic html or having the knowledge to google for instructions. Other tech forums allow html, even The Register which has a very wide range of users (9.5 million readers). In their words: "HTML is the open standard of the web. Deal with it, bitches." In my opinion the fact that LET uses markdown is an insult to the technical level of its users.

"You CANNOT DOWNGRADE after upgrading because 2.2 contains a change in password hashing that is irreversible. You would lock yourself (and anyone else who's logged in since the upgrade) out of your account by downgrading."
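The warning quoted above is a general property of password storage rather than anything specific to Vanilla: a password hash is one-way, so once a user's record has been re-hashed into a new format (typically transparently, the next time that user logs in), code that only understands the old format has nothing it can verify against. The following Python is an added example and is not Vanilla's code; the "old" unsalted-MD5 format, the "new" PBKDF2 format, the user table and the function names are assumptions for illustration, not Vanilla's real schemes, and the page does not describe what 2.2 actually changed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed "new" storage format marker. The "old" format is assumed to be a bare
# unsalted MD5 hex digest. Neither is Vanilla's actual scheme.
NEW_PREFIX = "$pbkdf2-sha256$"


def old_hash(password: str) -> str:
    """Legacy scheme (assumed): unsalted MD5, exactly as the old code computes it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """New scheme (assumed): salted PBKDF2-HMAC-SHA256 in a self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        NEW_PREFIX,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_new_format(stored: str) -> bool:
    return stored.startswith(NEW_PREFIX)


def verify_new(password: str, stored: str) -> bool:
    """Recompute PBKDF2 from the parameters embedded in the stored string."""
    try:
        _, _, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def upgraded_login(store: Dict[str, str], username: str, password: str) -> bool:
    """Login path of the *upgraded* code: accepts either format and silently
    re-hashes a legacy entry into the new format on a successful login."""
    stored = store.get(username)
    if stored is None:
        return False
    if is_new_format(stored):
        return verify_new(password, stored)
    if hmac.compare_digest(old_hash(password), stored):
        # The plaintext is only available right now, so rehash and overwrite.
        # The old digest is discarded and cannot be derived from the new one.
        store[username] = new_hash(password)
        return True
    return False


def legacy_login(store: Dict[str, str], username: str, password: str) -> bool:
    """Login path of the *old* code after a downgrade: it only knows MD5, so a
    PBKDF2 string is just a digest that never matches."""
    stored = store.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(old_hash(password), stored)


def locked_out_on_downgrade(store: Dict[str, str]) -> List[str]:
    """Accounts already stored in the new format: these users cannot log in
    again if the code is rolled back to the legacy verifier."""
    return sorted(u for u, h in store.items() if is_new_format(h))


if __name__ == "__main__":
    # Constructed sample user table, as it would look before the upgrade.
    users = {"alice": old_hash("correct horse"), "bob": old_hash("battery staple")}
    print(upgraded_login(users, "alice", "correct horse"))  # True, and alice is rehashed
    print(locked_out_on_downgrade(users))                   # ['alice']
    print(legacy_login(users, "alice", "correct horse"))    # False: rolled-back code can't verify her
    print(legacy_login(users, "bob", "battery staple"))     # True: bob never logged in after the upgrade
```

The practical check before rolling back any such upgrade is the last function: count the records already in the new format. If it is non-zero, a downgrade means a forced password reset for exactly those users, which is why the quoted advice is to treat the upgrade as one-way.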